OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

SOCIAL SECURITY ADMINISTRATION'S CONTROLS OVER REDISCLOSURE OF SENSITIVE INFORMATION IN THE KANSAS CITY REGION

November 2007   A-07-07-17055

EVALUATION REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:     November 28, 2007                    Refer To:

To:       Michael W. Grochowski
          Regional Commissioner
          Kansas City

From:     Inspector General

Subject:  Social Security Administration's Controls over Redisclosure of Sensitive Information in the Kansas City Region (A-07-07-17055)

OBJECTIVE

Our objective was to evaluate the controls the Kansas City Region has in place to ensure that sensitive information shared with State agencies and their contractors is not being improperly redisclosed to unauthorized parties. [1]

BACKGROUND

The Social Security Administration (SSA), through its computer matching program, also known as the data exchange program, shares applicant and beneficiary information with State agencies for the purpose of verifying eligibility for benefits. [2] The Social Security Act requires that "…a State must have in effect an income and eligibility verification system…" to administer federally-funded benefit programs such as Medicaid, food stamps, and temporary assistance for families. [3]

[1] Sensitive information is defined by SSA as "information, the loss, or misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled to under 5 U.S.C. § 552a (the Privacy Act) …." This includes personally identifiable information (PII), which SSA defines as "information obtained from SSA that can be used … to identify a specific individual." Examples of PII are name, Social Security number, Social Security benefit data, birth date, or State or Government issued driver's license or identification number.
[2] POMS GN03314.001J.2 and GN03314.155A.
[3] The Social Security Act, § 1137(a), 42 U.S.C. § 1320b-7(a).

Page 2 – Michael W. Grochowski

SSA's written data exchange agreements comply with the Privacy Act, [4] which requires the confidentiality of information maintained by Federal agencies and provides guidance on disclosing personal or sensitive information. The Privacy Act states the data exchange agreement should include:

• procedures for ensuring the administrative, technical, and physical security of the records matched and the results; and

• a ban on duplicating and redisclosing records provided by the source agency within or outside the recipient agency, except as required by law or essential to the matching program. [5]

Each SSA Regional Office has a Data Exchange (DX) coordinator who is the contact for State agencies that have a data exchange agreement with the Region. The DX coordinator plays a vital role in assisting State agencies with issues and problems in the data exchange process.

The Kansas City Regional Office requested this review because of concerns that unauthorized redisclosure of SSA's sensitive information may be occurring. [6] Accordingly, we conducted a review of the Iowa Department of Human Services (IA-DHS) and eight of its contractors performing work in the areas of Medicaid and Foster Care. See Appendix B for the scope and methodology of our review and Appendix C for flow charts of the current data exchange process.

RESULTS OF REVIEW

Our review focused on the controls the Kansas City Regional Office has in place to ensure that sensitive information shared with State agencies and their contractors is not being improperly redisclosed to unauthorized parties. [7] Specifically, we examined the controls the Kansas City Region has in place to prevent, detect and resolve instances of unauthorized redisclosure. We found that the controls in place to resolve reported data exchange problems appear to be adequate. However, the controls to prevent and detect unauthorized redisclosure need to be improved. Specifically, we found the current controls did not prevent IA-DHS and two of its contractors from redisclosing sensitive information without authorization from SSA, nor did the controls detect these instances of redisclosure.

[4] The Privacy Act of 1974, 5 U.S.C. § 552a.
[5] The Privacy Act of 1974, 5 U.S.C. § 552a(o).
[6] Unauthorized redisclosure of sensitive information refers to the release of sensitive information to a user that has not been granted access to the information through a signed data exchange agreement.
[7] During the course of our review, SSA established a new data exchange agreement which was effective July 1, 2007. The prior data exchange agreement was in effect from January 2005 through June 2007.

INSTANCES OF IMPROPER REDISCLOSURE OF SSA SENSITIVE INFORMATION

Our review of IA-DHS and eight of its contractors identified instances where sensitive SSA information was improperly redisclosed. As such, IA-DHS violated the terms of the data exchange agreement. Specifically, the following instances of improper redisclosure were identified:

• An IA-DHS contractor duplicated SSA information including the Social Security number (SSN) in its private computer system. The contractor used the SSN as a primary identifier for tracking foster care clients. The data exchange agreement prohibits the duplication of sensitive SSA information without SSA's approval. [8]

• All IA-DHS and contractor employees located at the Iowa Medicaid Enterprise facility had computer access to Medicaid reports containing SSA sensitive information. Access to these reports should have been restricted only to employees with a need to know such information. [9]

• IA-DHS allowed a contractor access to sensitive SSA information in its computer system without having a signed contractor redisclosure request form. [10] The contractor redisclosure request form obligates the contractors to follow the terms of the data exchange agreement, including securing SSA sensitive information.

• An IA-DHS contractor shared paper copies of computer screen prints with another State agency. The computer screen prints contained sensitive SSA information including SSNs. Prior to sharing this information, a signed redisclosure request form should have been in place.

These instances of improper redisclosure occurred because SSA did not have sufficient controls in place to help prevent the redisclosure or detect that the redisclosure had occurred. As the following discussion illustrates, SSA needs to improve its prevention and detection controls to reduce the risks associated with unauthorized disclosure.

[8] Prior data exchange agreement, Article X.A.3; new data exchange agreement, Article XIII.A.5. During the course of our review, the IA-DHS instructed the contractor to delete the SSA sensitive information from its database.
[9] Prior data exchange agreement, Article IX.A.1; new data exchange agreement, Article XI.A.1.
[10] The Kansas City Regional Office created and used the contractor redisclosure request, "Request to SSA to Include Contracted Agent in State Agreement," in the Region's four States. The redisclosure request required signatures by the State agency director, the Regional Commissioner, and the contractor's project director. The redisclosure request (1) obligated contractors to follow provisions in the data exchange agreement, (2) stated the reasons for the contractor's access to sensitive information in the State agency computer system, and (3) authorized the access. Effective with the new data exchange agreement, State agencies are required to obtain the contractors' written agreement to abide by the security requirements, and the access, use, and disclosure restrictions in the data exchange agreement before the disclosure of sensitive information (Article XIII.A.6).

Prevention and Detection Controls

One of SSA's primary controls in the data exchange process is the data exchange agreement. SSA requires the State agency receiving sensitive SSA information to comply with the terms of the agreement. Furthermore, SSA requires the State agency to oversee contractor compliance with the agreement's redisclosure provisions and information safeguards when sensitive information is shared with contractors. Another control SSA has in place is compliance reviews conducted by SSA's Office of Systems Security Operations Management (OSSOM). These reviews evaluate the computer system safeguards that SSA requires of the State agency. [11] However, the reviews do not include the evaluation of safeguards in contractors' private computer systems or detect the type of redisclosure instances we identified during our review.

The data exchange agreement and the OSSOM reviews will not prevent or detect all instances of improper redisclosure. For example, as previously discussed in this report, one of the redisclosure instances we identified involved an IA-DHS contractor that duplicated sensitive SSA information. The data exchange agreement clearly prohibits duplication; however, it does not provide a process to detect it when it occurs. [12] Therefore, SSA remains at risk for such instances of unauthorized redisclosure of its sensitive information since it does not have a process in place that would detect the unauthorized redisclosure.

To mitigate this risk, SSA would have to establish additional controls. SSA and IA-DHS could consider performing reviews targeting instances of unauthorized redisclosure that would not be identified by OSSOM's compliance reviews. In fact, SSA and IA-DHS have the authorization to perform reviews of controls protecting SSA's sensitive information. [13] However, no reviews of contractors' facilities, computer system safeguards, or confidentiality and redisclosure practices have been conducted by the Kansas City Regional Office or IA-DHS. According to IA-DHS, it plans to implement a process to begin reviews of contractors' information safeguards sometime this year.

[11] As part of the data exchange agreement, the State agency receives SSA guidelines on computer system security: "Information System Security Guidelines for Federal, State and Local Agencies Receiving Electronic Information from the Social Security Administration." The State agency is required to (1) implement computer security controls before the data exchange with SSA begins and (2) hold contractors accountable for implementing the appropriate computer security.
[12] "Except as necessary for the operation of this matching program, as provided in this agreement, files provided by SSA will not be duplicated or disseminated within or outside the State Agency without the written approval of SSA. SSA will not grant such authority unless the redisclosure is required by law or is essential to the matching program. In such instances, the State Agency must specify in writing what records are being disclosed, to whom, and the reasons that justify such redisclosure." (Sources: prior data exchange agreement, Article X.A.3, effective January 2005 to June 2007; new data exchange agreement, Article XIII.A.4, effective July 1, 2007.)
[13] A provision in the prior data exchange agreement (Article IX.B) allowed SSA to conduct "on-site inspections or make other provisions to ensure that adequate safeguards are being maintained…" at the State agency level. At the contractor level, SSA considers the State agency responsible for contractors and requires the agency to inspect the security of each contractor's facilities (POMS SM10801.500.5b). Finally, the contractor's agreement with IA-DHS gives authority to IA-DHS or IA-DHS' representative (such as SSA) to monitor and review contractors.

The absence of prevention and detection controls increases the risk of unauthorized redisclosure for SSA. To mitigate the risk, the Regional Commissioner, in cooperation with the Office of the General Counsel, OSSOM, and Office of Automation Support, should consider:

• Conducting periodic on-site inspections to verify whether State agencies redisclose sensitive SSA information without authorization; and

• Adding a provision in the data exchange agreement requiring the State agency to perform periodic on-site inspections of contractors' sensitive information safeguards, including confidentiality and redisclosure procedures and practices as well as contractors' computer system safeguards.

CONTROLS TO RESOLVE DATA EXCHANGE PROBLEMS

The Kansas City Regional Office's process for resolving data exchange problems appears to be adequate. The Regional Office's current process is for the State agency to report unauthorized redisclosure or other data exchange problems to the DX coordinator in its Center for Programs Support. The DX coordinator works to resolve the problem with the State agency by using regional resources first. If the problem requires reporting to or further attention from SSA, the DX coordinator refers the problem to one or more SSA components in Baltimore, Maryland for resolution. See Flow Chart 3, Appendix C, for a chart of the reporting and resolution process.

When the data exchange problems involve the loss or possible loss of PII, the reporting requirements for the Regional Office are outlined in the data exchange agreement. [14] The data exchange agreement requires that SSA will: (1) assume responsibility for making the contact within SSA so that a formal report is filed in accordance with SSA procedures and (2) notify the Department of Homeland Security's United States Computer Emergency Readiness Team if loss or potential loss of PII related to the data exchange occurs. Accordingly, the Regional Commissioner should determine if the four incidences of redisclosure identified in this report meet the loss or possible loss of PII criteria and take appropriate actions.

CONCLUSION AND RECOMMENDATIONS

We reviewed IA-DHS and eight contractors to determine if the Kansas City Regional Office had adequate controls to prevent, detect and resolve improper redisclosure of SSA sensitive information. Controls to resolve reported data exchange problems appeared to be adequate. However, SSA's controls to prevent and detect redisclosure were not sufficient and need to be improved to reduce the risk of instances of unauthorized redisclosure like the ones identified in our review.

[14] SSA data exchange agreement, effective July 1, 2007, Article XII.

Improper redisclosure of SSA sensitive information by State agencies and their contractors is an inherent risk in the data exchange process, and there is no way to completely prevent it from occurring. However, there are ways to mitigate the risk. Accordingly, we recommend the SSA Regional Commissioner:

1. Ensure that State agency contractors in the Kansas City Region have signed an agreement that obligates them to follow the terms in the data exchange agreement.

2. Work with the appropriate Headquarters' components to determine when and by whom periodic on-site inspections should be conducted to ensure that State agencies in the Kansas City Region have sufficient controls in place to prevent and detect the types of redisclosure instances we identified in our review.

3. Work with the appropriate Headquarters' components to determine whether a provision should be added to the data exchange agreement requiring the State agency to perform periodic on-site inspections of contractors' safeguards for sensitive information, including contractors' private computer system safeguards as well as a review of confidentiality and redisclosure procedures and practices.

4. Determine if the four incidences of redisclosure identified in this report meet the loss or possible loss of PII criteria and take appropriate actions.

AGENCY COMMENTS

SSA agreed with our recommendations. The full text of SSA's comments is included in Appendix D.

                                             Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Flow Charts of the Current Data Exchange Process
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

DX         Data Exchange
IA-DHS     Iowa Department of Human Services
OGC        Office of the General Counsel
OSSOM      Office of Systems Security Operations Management
PII        Personally Identifiable Information
POMS       Program Operations Manual System
SSA        Social Security Administration
SSN        Social Security Number
U.S.C.     United States Code

Appendix B

Scope and Methodology

To meet our objective, we:

• Reviewed applicable Federal laws and regulations, as well as pertinent sections of the Social Security Administration's Program Operations Manual System, and Administrative Instruction Manuals.

• Reviewed related Office of the Inspector General reports and Government Accountability Office reports.

• Reviewed Regional Office information related to redisclosure policy and issues.

• Reviewed the prior data exchange agreement between the Social Security Administration (SSA) and Iowa Department of Human Services (IA-DHS), effective January 2005 through June 2007, and the new data exchange agreement, effective July 1, 2007.

• Conducted interviews of IA-DHS and eight of its contractors and performed security walk-throughs of offices and facilities.

• Reviewed policy and procedures from IA-DHS related to confidentiality and safeguarding sensitive information; reviewed contractor redisclosure requests and IA-DHS' contractors' agreements.

• Sent questionnaires to SSA components (Office of the General Counsel, Office of Systems Security Operations Management, and Information Exchange and Matching Team) requesting information on their roles in redisclosure policy and issues; analyzed responses and created flow charts of the data exchange process.

We conducted our evaluation between December 2006 and March 2007 in Des Moines, Iowa, and Kansas City, Missouri. We conducted the review in accordance with the Quality Standards for Inspections by the President's Council on Integrity and Efficiency.

Appendix C

Flow Chart 1: The Current SSA Data Exchange/Matching Agreement Process with a State Agency*

START

Two entry paths:
- Establish a new agreement with a State agency (18 months).
- Renew the agreement with a State agency (12 months).

Step 1 (both paths):
- Regional Data Exchange (DX) Coordinator works with the State agency to establish or renew the data exchange/matching agreement.
- The State's attorneys review the agreement.

Step 2 (establish a new agreement / renew the agreement):
- Office of the General Counsel (OGC) reviews the agreement and works with the Regional DX Coordinator on any modifications.
- OGC approves the agreement.

Step 3:
- Regional DX Coordinator obtains the signatures of the State agency and the Regional Commissioner on the new or renewed agreement.

Step 4:
- Regional DX Coordinator sends a copy to Social Security Administration's (SSA) Information Exchange and Matching Team and to the State Agency, and keeps the original.

* This flow chart describes the data exchange/matching process which began with the January 2005 model agreements. The data exchange/matching agreement cycle is 30 months: 18 months for a new agreement with a 12-month renewal.

Flow Chart 2: Implementing or Continuing the Data Exchange/Matching Operation*

START

Path A: During the establishment of a new agreement with a new State agency (see Flow Chart 1),
- the State agency transitions from the written business process of the data exchange with SSA to implementing changes and/or modifications in computer systems, policies, and practices;
- the State agency implements Office of Systems Security Operations Management's (OSSOM) system security guidelines;
- the State agency begins the actual data exchange/matching process with SSA.

Path B: During the agreement renewal process with the State agency (see Flow Chart 1),
- the State agency continues without interruption the current data exchange/matching process with SSA;
- the State agency has already implemented OSSOM information system security guidelines;
- the State agency continues the data exchange/matching process with SSA.

Both paths:
- If a problem arises, the State agency contacts the DX Coordinator, who determines the nature of the problem and uses Regional resources first to resolve it, then contacts the appropriate SSA office(s). [See next flow chart.]
- OSSOM performs compliance reviews of SSA's computer system security requirements at the State agency every 3 years.
- OSSOM and the DX Coordinator have coordinating roles before, during, and after the compliance review.

* This flow chart describes the data exchange/matching process which began with the January 2005 model agreements. The data exchange/matching agreement cycle is 30 months: 18 months for a new agreement with a 12-month renewal.

Flow Chart 3: Resolution of Problems in the Current SSA Data Exchange/Matching Process*

START

1. State agency contacts the Regional DX Coordinator with a data exchange/matching problem, including redisclosure issues.

2. Regional DX Coordinator determines the nature of the problem, works with the State agency, and uses Regional resources first to resolve the problem.

3. Problem resolved?
   - YES: RESOLUTION, using Regional resources, is conveyed to the State agency.
   - NO: If Regional resources are not sufficient, the Regional DX Coordinator contacts resource staff in SSA components.

4. SSA components and their roles:

   SSA Component: Office of the General Counsel**
   - Policy clarifications of the Privacy Act
   - Circumstances in which information can be disclosed or redisclosed

   SSA Component: Information Exchange and Matching Team**
   - Policy clarifications of the data exchange/matching agreement, including redisclosure of information

   SSA Component: Office of Systems Security Operations Management**
   - Security certification of State agency information systems
   - Compliance reviews
   - Advice on systems safeguards for sensitive information

   SSA Component: Office of Automation Support/Data Exchange Team**
   - Coordinating role for Regional DX Coordinators
   - Contacts other components when problems are reported

   SSA Component: Office of Systems**
   - DX Coordinator makes a Change, Asset, and Problem Reporting System request for assistance
   - Data formats
   - Data transmission
   - Connectivity problems

5. Working with the Regional DX Coordinator, one SSA component may resolve the reported problem, or two or more components may work together, depending on the nature of the problem.

6. RESOLUTION, using SSA component resource staff, is conveyed to the State agency.

* This flowchart describes the general problem resolution procedure in the data exchange/matching process which began with the January 2005 model agreements.

** Office of the General Counsel/Office of Program Law; Office of Public Disclosure;
   Office of Disability and Income Security Programs/Office of Income Security Programs/Office of Earnings and Information Exchange/Information Exchange and Matching Team;
   Office of Financial Policy and Operations/Office of Systems Security Operations Management;
   Office of Operations/Office of Automation Support/Division of Electronic Service Delivery/Data Exchange Team;
   Office of Systems/Office of Earnings, Enumeration and Administrative Systems/Division of Information, Verification and Exchange Services/Data Exchange Branch.

Appendix D

Agency Comments

To:       Inspector General

From:     Regional Commissioner
          Kansas City Region

Subject:  SSA's Controls over Redisclosure of Sensitive Information (A-07-07-17055) - Response

Thank you for the opportunity to comment on the attached draft audit report. During the course of this audit, our staffs had several opportunities to meet and discuss the complexities of the data exchange process. I appreciate the amount of work that went into this audit and the preparation of this report.

Our comments on OIG's recommendations are as follows:

1. Ensure that State agency contractors in the Kansas City Region have signed an agreement that obligates them to follow the terms in the data exchange agreement.

   • We agree with this recommendation. The requirements in SSA's data exchange agreements changed with the July 2007 agreement cycle. These changes were incorporated to heighten awareness of agreement compliance issues at both the State and Federal level. For example, the agreements now contain specific language regarding the State's use of contractors. In addition, they require State Agencies to provide contractors/agents with a copy of the data exchange agreement and related attachments before they provide the initial disclosure of data to the contractor/agent.

2. Work with the appropriate Headquarters' components to determine when and by whom periodic on-site inspections should be conducted to ensure that State agencies in the Kansas City Region have sufficient controls in place to prevent and detect the types of redisclosure instances we identified in our review.

   • We agree with this recommendation. The Office of Systems Security Operations Management (OSSOM) currently has jurisdiction for all Data Matching systems security and agreement compliance reviews and conducts periodic onsite reviews (at least every three years) to ensure compliance with the agreement. Recently, the Kansas City Region has been assigned the Operation's Lead for a workgroup to explore how the regions can assist with oversight of agreement compliance at the regional level. Onsite inspections are one of many options the workgroup is taking under consideration to improve agreement compliance. If this proposal is adopted, it would have the potential of providing more frequent onsite reviews.

3. Work with the appropriate Headquarters' components to determine whether a provision should be added to the data exchange agreement requiring the State agency to perform periodic on-site inspections of contractors' safeguards for sensitive information, including contractors' private computer system safeguards as well as a review of confidentiality and redisclosure procedures and practices.

   • We will refer this recommendation to our Headquarters component responsible for writing the agreements. Although we agree with the content of this recommendation, the language for the Computer Matching Agreements is determined at the Agency level and approved by the Office of Management and Budget. We believe that State oversight of contractors is critical to agreement compliance. The Kansas City led workgroup will address how this could possibly be accomplished and, where appropriate, make recommendations to the Deputy Commissioner for Operations for possible changes.

4. Determine if the four incidences of redisclosure identified in this report meet the loss or possible loss of PII criteria and take appropriate actions.

   • Through our prior experiences with State Agencies, we have found that one of the obstacles to proper disclosure is the lack of a written definition of what constitutes "SSA Information" as it relates to our computer matching process. Another task of the aforementioned workgroup has been to establish a written definition of "SSA Information" that can be easily understood and applied by all involved. This definition, which has been approved by the Office of Public Disclosure (OPD), provides us with an analysis tool for determining whether SSA or State information is involved in redisclosures. Note: This definition was not available when OIG conducted this audit.

     My staff will contact the State to expand upon the details concerning the redisclosures referenced in the OIG report. We will apply the OPD-approved written definition of SSA Information to our analysis of each of the redisclosure scenarios.

     Should we determine that SSA Information was involved, we will refer the incidents to our Regional Security and Integrity staff to determine if loss of Personally Identifiable Information (PII) applies and take appropriate actions.

If you have questions, please contact me at 816-936-5700. If your staff needs additional assistance or information, they may contact Kathy Woolsey, Director, Center for Programs Support, by email at kathy.t.woolsey@ssa.gov or by phone at 816-936-5630.

                                              /s/
                                     Michael W.
Grochowski\n\n\n                                                D-2\n\x0c                                                                       Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Mark Bailey, Director, Kansas City Audit Division (816) 936-5591\n\n   Ron Bussell, Audit Manager (816) 936-5577\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Carol L. Cockrell, Senior Analyst\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 965-3218.\nRefer to Common Identification Number A-07-07-17055.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. 
OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'